As a Principal with Praetorian, I’ve had the privilege of working with hundreds of clients, from fast-growth startups to Fortune 500 giants. As we’ve performed red team exercises simulating an advanced persistent threat against our clients, I’ve seen that (much) more often than not we are able to compromise their “crown jewels.” In several cases it has only taken hours to become privileged admins inside the networks of Fortune 100 companies. I believe our security engineers are amongst some of the best, but I can only imagine nation states and certain criminal organizations are able to achieve similar accesses as quickly.
There is an elephant in the room for cybersecurity. The uncomfortable truth of the current state is that many organizations will struggle and ultimately fail to keep a sophisticated attacker from breaching critical assets. This truth persists despite technical innovations, smart people, and billions of dollars invested.
Through many conversations with security leaders, I’ve come to the opinion that many security programs spend too much time and money on things that do not appreciably reduce their organization’s risk. Lots of effort, insufficient results. Although my experience is anecdotal, I’ve seen a number of common factors that contribute to security program ineffectiveness.
From these same conversations, I’ve also found common characteristics of security programs that demonstrate the sustained ability to keep attackers at bay.
These challenges and opportunities have been captured in our new whitepaper, The Elephant in the Room: Why Security Programs Fail.